Theft of e-mail accounts with social engineering

We have heard of phishing attacks, but there is a new kind of social engineering that uses the cell phone to trick the victim in a very easy and effective way.

A Symantec video explains a new social engineering method attackers use to compromise any account.

The idea is simple: if you want to reset someone's password, all you really need is their mobile number.

The anatomy of the attack in the video is quite simple, but it is surprisingly effective:

Send the victim a text from an unknown number, telling him that he will receive a code to ensure his Google account is secure and asking him to reply with that code to confirm it.
Trigger the Gmail password reset, which will send a message containing an unlock code to the victim's phone.
The user receives the code mentioned above and sends it back to the attacker.
The attacker can then unlock the Gmail account without any problems.

The video presents a new concept that would probably be quite effective against a great many mobile phone owners.

Many, if not most, would probably reply to an unknown number, simply assuming it really is the company.

The same attack could also be used to bypass services that use two-factor authentication, although it is worth noting that Google sends an SMS if that particular authentication method has been configured.

The problem with this kind of attack is that no one can stop it. The only measure of protection is to educate users, which will reduce the risk of falling into such traps.

So if at some point you get a message from any number asking for your password, a confirmation code or any other personal information, you should not answer.

There is no reason for anyone to ask you for the above (or any other) information via SMS.

iGuRu.gr The Best Technology Site in Greece

Written by giorgos
